It’s been a roller coaster week for Android owners as word got out earlier this week that essentially all (99.7%) Android smartphones are leaking login data for Google services, and could allow other access to information stored in the cloud. This claim was made by German security researchers Bastian Könings, Jens Nickels, and Florian Schaub from the University of Ulm. The vulnerability is observed in apps that use the ClientLogin authentication protocol in Android 2.3.3 and earlier. The ClientLogin API is meant to be increase security and performance, because Google’s servers need only check your login information once. Usernames and password are sent once, and thereafter the apps use a token instead.

Lifehacker explains how this vulnerability can be exploited:

Unless your device is one of the 1% with Android 2.3.4, those credentials—for Google Calendar, Twitter, Facebook, and other accounts—are submitted in the clear. This can give attackers access to those accounts if you unwittingly connect to an unencrypted wireless network set up by the attacker.An attacker only needs to set up a Wi-Fi access point with a common SSID name, such as “starbucks” or “attwifi” (an evil twin network), and when your Android phone tries to automatically connect, the hacker can capture the authentication tokens for your accounts.

Then, later in the week, Google announced that it had started rolling out a silent fix. They’ve implemented a server-side patch that will close the security whol for all version of Android. This fix will go out silently, without users having to download or update their apps. The fix should be out by the end of the week, and will force all servers to use an encrypted HTTPS. Obviously, a fix is good for everyone, but it raises concerns about how fast a patch could roll out for a serious security flaw, considering that Google is so reliant on manufacturers and carriers to push out OS updates.

The takeaway here, as a developer, is that it’s important to not rely on an OS for security alone. Both Google and Apple have testified in front of Congress about privacy and their respective platforms. Remember to think about your users and how they value their information. More and more companies are using HTTPS, even Twitter and Facebook have HTTPS features. Privacy and vulnerabilities are serious, hot button issues for the community, so don’t let your app become the next poster child for security issues.

Have any tips or suggestions when it comes to app development and security/privacy? Leave a comment, send an email, or shout on Twitter.

The Ericsson ConsumerLab has a report out today that shows a third of users reach for their phone and open apps before before they even get out of bed.

On top of that, 18% of consumers are booting up a social networking app before they get up, and 10% are using them on trains, planes, and automobiles while commuting.  34% of consumers are using apps later into the evening, and 20% are using apps instead of counting sheep in bed right before going to sleep.

The graph above shows an interesting change in consumer’s user of the Internet in a constantly connected world. With the increase of availability of tablets, phones, and net books, consumers are moving from using the Internet in ‘chunks’ to using it in smaller spurts reflective on the spontaneity that these new devices allow.

What does this mean for developers? It’s important to be writing apps that allow for that kind of impulsive Internet use. This can mean creating apps that a user can use for shorter periods of time throughout the day, or one with useful push messages that someone can read before they get out of bed. Regardless of what this means to you as a developer, this report is a testament to way that apps are becoming an integral part of people’s lives.

Check out the full survey here.

GetJar has just released its App Meter report for Q2 2011. It features an in-depth survey report by GetJar CMO, Patrick Mork.